Deps.rs

thinkgos / goup-rs

[![dependency status](https://deps.rs/repo/github/thinkgos/goup-rs/status.svg)](https://deps.rs/repo/github/thinkgos/goup-rs)

This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate goup-rs

Dependencies

(26 total, 1 outdated, 1 possibly insecure)

CrateRequiredLatestStatus
 anyhow^1.01.0.102up to date
 log^0.40.4.29up to date
 regex^1.121.12.3up to date
 reqwest^0.130.13.3up to date
 serde^11.0.228up to date
 serde_json^11.0.149up to date
 which^8.08.0.2up to date
 clap^4.64.6.1up to date
 clap_complete^4.64.6.3up to date
 dialoguer^0.120.12.0up to date
 indicatif^0.180.18.4up to date
 self_update^0.440.44.0up to date
 shadow-rs^2.02.0.0up to date
 env_logger^0.110.11.10up to date
 chrono^0.4.430.4.44up to date
 sha2^0.110.11.0up to date
 hex^0.40.4.3up to date
 flate2^1.11.1.9up to date
 tar ⚠️^0.40.4.45maybe insecure
 zip^8.58.6.0up to date
 dirs^6.06.0.0up to date
 semver^1.01.0.28up to date
 owo-colors^44.3.0up to date
 scraper^0.260.26.0up to date
 dotenvy^0.150.15.7up to date
 junction^1.42.0.0out of date

Dev dependencies

(2 total, all up-to-date)

CrateRequiredLatestStatus
 tempfile^33.27.0up to date
 temp-env^0.30.3.6up to date

Build dependencies

(2 total, all up-to-date)

CrateRequiredLatestStatus
 version_check^0.90.9.5up to date
 shadow-rs^2.02.0.0up to date

Security Vulnerabilities

tar: `unpack_in` can chmod arbitrary directories by following symlinks

RUSTSEC-2026-0067

In versions 0.4.44 and below of tar-rs, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links, a crafted tarball containing a symlink entry followed by a directory entry with the same name causes the crate to treat the symlink target as a valid existing directory — and subsequently apply chmod to it. This allows an attacker to modify the permissions of arbitrary directories outside the extraction root.

This issue has been fixed in version 0.4.45.

tar: tar-rs incorrectly ignores PAX size headers if header size is nonzero

RUSTSEC-2026-0068

Versions 0.4.44 and below of tar-rs have conditional logic that skips the PAX size header in cases where the base header size is nonzero.

As part of CVE-2025-62518, the astral-tokio-tar project was changed to correctly honor PAX size headers in the case where it was different from the base header. This is almost the inverse of the astral-tokio-tar issue.

Any discrepancy in how tar parsers honor file size can be used to create archives that appear differently when unpacked by different archivers. In this case, the tar-rs (Rust tar) crate is an outlier in checking for the header size — other tar parsers (including e.g. Go archive/tar) unconditionally use the PAX size override. This can affect anything that uses the tar crate to parse archives and expects to have a consistent view with other parsers.

This issue has been fixed in version 0.4.45.